Privacy Policy
Effective Date: pending — Last Updated: pending
This Privacy Policy describes how Phareon LLC (“Phareon,” “CollegeRoster,” “we,” “us,” or “our”), a Tennessee limited liability company, collects, uses, shares, and protects personal information when you use the CollegeRoster platform, website, and related services (collectively, the “Service”). It also describes your privacy rights under applicable law.
If you are a parent or guardian of a minor user (ages 13–17), please review the sections below that describe our guardian-verification model and the rights you hold with respect to your minor's account.
1. Information We Collect
We collect different categories of personal information depending on how you use the Service and the role you hold (athlete, parent, coach, recruiter, admin).
1.1 Information You Provide Directly
| Category | Examples |
|---|---|
| Account Information | Name, email address, password (hashed), account type / role |
| Profile Information | Sport(s), graduation year, school or club name, position, height/weight, GPA, academic interests, recruiting class, contact preferences |
| Media Content | Highlight videos, photos, profile images, and any other files you upload |
| Communications | Messages sent through the platform's in-app messaging, support tickets, feedback forms |
| Guardian-Verification Records | For accounts associated with minor users (ages 13–17): parent/guardian name, email, verification method, date of verification |
| Payment Information | Billing name, billing address; payment card details are processed and stored by Stripe — we do not receive or retain full card numbers |
| Identity Verification (Coach/Recruiter) | School or institution affiliation, coaching role documentation submitted to verify claimed role |
1.2 Information Collected Automatically
| Category | Examples |
|---|---|
| Device and Access Information | IP address, browser type, operating system, device identifiers |
| Usage and Log Data | Pages visited, features used, timestamps, session duration, search queries within the Service, click events |
| Cookies and Similar Technologies | See Section 12 for detail on cookies we use |
| Video Playback Analytics | Play counts, watch duration, and viewer geography for hosted video content, provided by Bunny Stream |
1.3 Derived Data and Analytics
We may derive analytical information from the data described above, including:
- Athlete profile completeness scores and engagement metrics
- Aggregated and anonymized sport/graduation-year cohort statistics (used to improve the Service)
- Interaction metrics (profile views, video plays) shared with the profile owner in their analytics dashboard
We do not use derived analytics to make automated decisions with legal or significant effects on any individual user without human review.
1.4 Information from Third Parties
| Source | What We Receive |
|---|---|
| Stripe | Payment confirmation, subscription status, and billing failure notifications — not full payment card data |
| Bunny Stream | Video delivery analytics for videos you upload |
We do not purchase marketing lists or obtain personal information from data brokers for the purpose of building athlete profiles.
2. How We Collect Information
- Directly from you, when you create an account, complete your profile, upload content, send messages, or contact us.
- Automatically, through your use of the Service via cookies, log files, and analytics tools embedded in the platform.
- From our service providers, specifically Stripe (for payment processing outcomes) and Bunny Stream (for video analytics).
3. Why We Collect — Purposes and Lawful Bases
We process personal information for the following purposes. For users in the European Economic Area, United Kingdom, or other jurisdictions requiring a lawful basis, the applicable basis is noted in the second column of the table below.
| Purpose | Lawful Basis (GDPR-relevant jurisdictions) |
|---|---|
| Providing and operating the Service — account creation, profile hosting, messaging, video delivery | Contract performance (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Contract performance (Art. 6(1)(b)) |
| Security, fraud prevention, and abuse detection | Legitimate interest (Art. 6(1)(f)) — our interest in platform integrity and user safety |
| Product analytics, bug fixing, and Service improvement | Legitimate interest (Art. 6(1)(f)) — our interest in improving the Service |
| Sending transactional communications (receipts, account alerts, platform notifications) | Contract performance / Legitimate interest |
| Sending marketing communications about the Service, new features, or promotions | Consent (Art. 6(1)(a)) — you may opt out at any time |
| Complying with legal obligations (record-keeping, guardian-verification records, law enforcement requests) | Legal obligation (Art. 6(1)(c)) |
| Guardian verification and minor account management (ages 13–17) | Legal obligation + Contract performance |
We never sell personal information to third parties for their own advertising or commercial purposes, including to data brokers or advertising networks.
4. How We Share Information
4.1 Service Providers
We share personal information with vendors who process it on our behalf to provide the Service. These providers are contractually prohibited from using personal information for purposes other than providing services to us.
| Service Provider | What Is Shared | Purpose |
|---|---|---|
| Stripe | Billing name, email, subscription details | Payment processing |
| Supabase | All application data | Database hosting and auth |
| Cloudflare R2 | Uploaded files (photos, documents) | File storage |
| Bunny Stream | Uploaded video files | Video hosting and transcoding |
| Resend | Email address, name | Transactional email delivery |
| Tavily | Search queries within the Service | AI-assisted search features |
4.2 Other Users You Interact With
Depending on your profile visibility settings, your profile information — including name, sport, grad year, school, and uploaded media — may be visible to coaches, recruiters, and other users on the platform. You control visibility settings from your account dashboard.
4.3 Legal and Safety Disclosures
We may disclose personal information when we have a good-faith belief that disclosure is necessary to: (a) comply with a valid legal process (subpoena, court order, or law enforcement request with legal authority); (b) protect the safety, rights, or property of Phareon, our users, or the public; or (c) investigate potential violations of these Terms or applicable law.
Mandatory Reporting: Any content that appears to constitute Child Sexual Abuse Material (CSAM) will be immediately reported to the National Center for Missing and Exploited Children (NCMEC) and applicable law enforcement.
4.4 Business Transfers
If Phareon LLC is involved in a merger, acquisition, asset sale, or bankruptcy proceeding, personal information may be transferred as part of that transaction. We will notify users via email and in-app notice before personal information is transferred to a successor entity.
4.5 Aggregated or De-Identified Data
We may share aggregated or de-identified data — which cannot reasonably identify any individual — with partners, researchers, or the public for product development or industry reporting purposes.
5. Minimum Age and Guardian Verification
5.1 Minimum Age. The Service requires users to be at least 13 years old. We do not knowingly permit children under 13 to create accounts or use the Service. If we learn that a user is under 13, we will promptly close the account and delete any associated personal information.
5.2 Minor Users (Ages 13–17). Users aged 13 through 17 must have a parent or legal guardian complete our guardian-verification process before certain features are enabled.
5.3 Contact for Minor Account Inquiries. Parents or guardians with questions about a minor user's account should contact privacy@collegeroster.org with the subject line “Minor Account — Parental Inquiry.”
6. GDPR and UK GDPR
6.1 Controller Status. For users in the European Economic Area (EEA) and the United Kingdom, Phareon LLC is the data controller of your personal information.
6.2 EU/UK Representative. Phareon LLC does not have an establishment in the EEA or UK and does not target EU/UK residents as the primary audience. CollegeRoster is a US-resident-focused service. Article 27 designation is not required at this time.
6.3 Data Subject Rights. EEA and UK residents have the following rights with respect to their personal information:
- Right of Access (Art. 15): Obtain a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
- Right to Restriction (Art. 18): Ask us to restrict processing while a dispute is pending.
- Right to Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
6.4 How to Submit a Data Subject Access Request (DSAR). Email privacy@collegeroster.org with the subject line “Privacy Rights Request.” We will respond within 30 days.
6.5 Right to Lodge a Complaint. You have the right to lodge a complaint with your local data protection authority. In the UK, the relevant authority is the Information Commissioner's Office (ICO).
6.6 Lawful Bases. Lawful bases for our processing activities are set out in Section 3 above.
7. California Privacy Rights (CCPA / CPRA)
7.1 Categories of Personal Information Collected. In the past 12 months, we have collected the following categories of personal information:
| CCPA Category | Examples | Collected? |
|---|---|---|
| Identifiers | Name, email, IP address, account ID | Yes |
| Personal information (Cal. Civ. Code § 1798.80(e)) | Name, address (billing), payment info (via Stripe) | Yes |
| Characteristics of protected classifications | Age (for minor-account handling) | Limited |
| Commercial information | Subscription records, purchase history | Yes |
| Internet or electronic network activity | Usage logs, page views | Yes |
| Geolocation data | General location inferred from IP | Limited (city-level only) |
| Inferences drawn from above | Profile engagement scores | Yes |
7.2 Sale and Sharing of Personal Information. We do not sell personal information as defined under the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising.
7.3 California Consumer Rights. California residents may exercise their rights by emailing privacy@collegeroster.org or managing preferences via browser settings until our preference center launches. We will respond to verified requests within 45 days.
7.4 Sensitive Personal Information. Under CPRA, the following sensitive personal information may be collected in limited contexts:
- Precise geolocation: Not collected.
- Financial information: Billing name and address only — full payment data is held by Stripe.
- Login credentials: Collected and stored in hashed form — not used for any purpose other than authentication.
- Health/medical data: Not collected. CollegeRoster does not intentionally collect health, biometric, or disability data. Athlete profile fields (height, weight, sport, position) are athletic performance metrics, not medical information.
7.5 Authorized Agents. California residents may designate an authorized agent to submit privacy requests on their behalf. We will require verification that the agent is authorized before processing the request.
8. Other State Privacy Laws
We recognize privacy laws enacted by additional U.S. states and apply their requirements to residents of those states as applicable. Residents of Virginia, Colorado, Connecticut, Utah, and Texas have access, correction, deletion, portability, and opt-out rights under their respective state privacy laws. To exercise any of these rights, contact privacy@collegeroster.org.
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data (profile, preferences, settings) | Duration of account plus 7-day backup window (Supabase Pro tier daily snapshots) after deletion request |
| User Content (media, messages) | Duration of account plus 7-day backup window (Supabase Pro tier daily snapshots); immediately removed from public access upon deletion request |
| Payment and billing records | 7 years from transaction date (tax and legal compliance) |
| Access and usage logs | 12 months from collection |
| Security and audit event logs | 7 years (regulatory compliance and fraud investigation) |
| Guardian-verification records | Duration of minor user's account plus 7 years |
| Breach notification records | 7 years |
| Support and communications records | 3 years from last interaction |
10. Security
We implement technical and organizational measures to protect personal information:
- Encryption: Personal data is encrypted at rest and in transit (TLS 1.2+).
- Row-Level Security (RLS): Our Supabase database enforces row-level security policies so users can access only data they are authorized to see.
- Access Controls: Internal access is restricted to personnel who need it. Administrative access requires multi-factor authentication.
- Audit Logging: Material access to and changes in personal data are logged and retained per the schedule in Section 9.
- Breach Notification: We will notify affected users and applicable regulatory authorities within required timeframes (no later than 72 hours for GDPR-relevant incidents).
11. Minor Users' Privacy (Additional Protections)
The Service is not directed to children under 13. We do not knowingly collect personal information from anyone under 13; if we learn a user is under 13 we will close the account and delete their data promptly.
For users aged 13 through 17, we apply the following baseline protections regardless of guardian-verification status:
- We do not display interest-based, targeted, or behavioral advertising to users we know to be under 18.
- We do not allow public disclosure of a minor user's contact information, home address, or school location unless explicitly enabled by a parent or guardian.
- Profile visibility for minor users defaults to restricted until a parent or guardian enables broader visibility.
For any user we know to be under 18, we do NOT sell their personal information, we do NOT share their personal information in exchange for value, and we do NOT use their personal information to deliver targeted advertising.
Parents or guardians with concerns about a minor user's data should contact privacy@collegeroster.org. We will escalate all minor privacy concerns to our privacy lead within 24 hours.
Pending Sub-Processor DPAs. Two of our sub-processors — our video media platform (Bunny Stream) and our transactional email provider (Resend) — currently have Data Processing Addenda pending execution. Personal information from minor users is not transmitted to these sub-processors in ways inconsistent with our obligations until their DPAs are signed. See our internal tracking record (#305) for status.
12. Cookies and Tracking Technologies
| Cookie Category | Purpose | Can You Opt Out? |
|---|---|---|
| Essential / Strictly Necessary | Authentication, session management, security (CSRF protection) | No — required for the Service to function |
| Functional | User preference storage (e.g., dark mode, notification settings) | Yes — via browser settings |
| Analytics | Understanding how users navigate the Service | Yes — via browser settings; implementation in progress |
12.2 No Advertising Cookies. We do not place or allow advertising network cookies.
13. International Data Transfers
Phareon LLC is based in the United States. For transfers of personal information from the EEA or UK to the United States, we rely on Standard Contractual Clauses (EU SCCs) and, for UK transfers, the UK International Data Transfer Addendum (IDTA).
14. Your Privacy Rights — Summary
Regardless of your location, you have the right to access, correct, delete, or export your personal information, and to opt out of marketing. To exercise any right, email privacy@collegeroster.org with subject line “Privacy Rights Request.”
15. Changes to This Privacy Policy
For material changes, we will provide at least 30 days' advance notice via email to your registered address and via a prominent in-app notification.
16. Contact — Privacy Questions
Privacy Team: privacy@collegeroster.org
Mailing Address:
Phareon LLC
Attn: Privacy
9111 Cross Park Drive, Ste D200, Knoxville, TN 37923
EU/UK Representative: Not appointed. See Section 6.2.
For parental or guardian inquiries about a minor user's account, email privacy@collegeroster.org with the subject line “Minor Account — Parental Inquiry.”
Phareon LLC is a Tennessee limited liability company.